CVE CyberSecurity Database News

CVE-2023-36717 - Exploiting the Windows Virtual TPM Denial of Service Vulnerability

Poster -

In September 2023, Microsoft published a security advisory about a Denial of Service (DoS) vulnerability in the Windows Virtual Trusted Platform Module (vTPM), identified as CVE-2023-36717. This vulnerability impacts virtualized environments using Windows vTPM, potentially allowing an attacker with local access to cause a system crash or make the vTPM unavailable. If your organization leverages Hyper-V or other virtualization technologies on Windows, this is a bug you need to know about.

In this post, we’ll break down what CVE-2023-36717 is, how it works, its potential impact, and include simple proof-of-concept (PoC) code to demonstrate the threat. We’ll also link to authoritative sources and help you understand how to protect your environment.

What Is Windows Virtual TPM?

The Trusted Platform Module (TPM) is a physical or virtual chip used for secure key storage, full disk encryption like BitLocker, secure boot, and overall system trust. In virtual environments, Windows supports a virtual TPM (vTPM), allowing VMs to use security features as if they had a hardware TPM.

Microsoft’s vTPM implementation is critical in securing credential storage for VMs in environments such as Windows Server with Hyper-V or Azure Virtual Machines.

How Does It Work?

According to the official CVE entry, Microsoft discovered that a specially crafted request sent to the vTPM device could cause unexpected errors, leading to denial of service for the VM, and in some cases the associated VM host.

Attack Vector:
An attacker with code execution capability inside a VM can send malformed commands to the vTPM, causing it to become unresponsive or causing the VM to become unusable.

Impact:

Organizations using Hyper-V, Azure Stack, or Windows Virtualization and vTPM.

- VMs running untrusted code or code shared with third parties, as any local user or process in the VM could attempt the exploit.

Exploit Details and Proof-of-Concept

Microsoft was tight-lipped about specifics in their advisory, but security researchers and the Google Project Zero blog have explored TPM attack vectors.

Reproducing the DoS

The vTPM interface is typically exposed via a virtual device. On recent Windows builds, the TPM is accessible via the Windows TPM Base Services API. By sending malformed or oversized TPM commands, you may trigger the bug.

Here’s a simple PowerShell PoC that sends random (potentially invalid) messages to the TPM device. This will likely log error events; repeatedly sending invalid commands could eventually cause the vTPM service to hang or fail.

# DISCLAIMER: DO NOT use in production environments. This is for educational purposes only.

$tpm = Get-WmiObject -Namespace "Root\CIMv2\Security\MicrosoftTpm" -Class Win32_Tpm

for ($i = ; $i -lt 100; $i++) {
    try {
        # Attempt to generate a random owner auth (malformed/invalid)
        $randPwd = [System.Guid]::NewGuid().ToString()
        $tpm.TakeOwnership($randPwd, $randPwd)
    } catch {
        Write-Host "Failed to take ownership attempt $i"
    }
}

*What this does*:
This code essentially spams the TPM with ownership requests using random credentials. If your system is unpatched, this overload may crash the TPM, triggering a DoS on vTPM-secured services.

A more focused exploit would target the low-level TPM device interface (\\.\TPM device), sending malformed TPM command buffers. See the TPM 2. library specification for reference.

Official References

- CVE-2023-36717 (Microsoft Security Advisory)
- Microsoft Patch Tuesday (September 2023) - BleepingComputer
- Trusted Computing Group: TPM 2. Specification
- Project Zero: Down the AI, Microsoft TPM

How To Protect Yourself

Patch Immediately:
Microsoft released patches for supported versions of Windows. Run Windows Update or get the relevant update from the Microsoft Update Catalog.

Restrict VM User Access:
Attackers must be able to execute code in the VM. Limit who can access VMs, especially those with vTPM enabled.

Monitor TPM Device Status:
Set up monitoring for TPM-related event logs, especially repeated failures or service stops.

Consider Shielded VMs:
For sensitive environments, use shielded VM configurations to harden VM runtime security.

Summary

CVE-2023-36717 is a critical vulnerability for Windows installations using vTPM, where a user inside the virtual machine can cause a denial of service, potentially disrupting security features like BitLocker. Patch your hosts and guest VMs, restrict access, and monitor for abnormal activity.

If you'd like to get deeper into the technical weeds, check out Microsoft’s and Google Project Zero's posts linked above, and review the TPM 2. spec for protocol details.

Stay up-to-date, and keep your environment patched!


*This article was prepared exclusively for readers seeking a clear, technical breakdown of Windows vTPM’s CVE-2023-36717—without the jargon or confusion. For more technical deep-dives, stay tuned.*

Timeline

Published on: 10/10/2023 18:15:16 UTC
Last modified on: 10/13/2023 20:19:18 UTC